Category Archives: Data Security

Subscribe to Data Security RSS Feed

US Breach Laws Are Coming: Vermont

Liisa ThomasBy Liisa Thomas on Posted in Data Breach, Data Security
On January 1, 2019 Vermont’s breach notice law will include obligations specific to data brokers. A “data broker” is defined as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Under the law, data brokers … Continue Reading

US Breach Laws Are Coming: South Carolina

Liisa ThomasBy Liisa Thomas on Posted in Data Breach, Data Security
In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is … Continue Reading

Supermarket Held Vicariously Liable in UK’s First Data Leak Class Action

By Sheppard Mullin on Posted in Consumer Privacy, Data Security, EU Privacy
UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrison’s internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, … Continue Reading

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

Liisa ThomasBy Liisa Thomas on Posted in Data Breach, Data Protection, Data Security
Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, … Continue Reading

DealerBuilt Settles with New Jersey Over Data Breach

Liisa ThomasBy Liisa Thomas on Posted in Data Breach, Data Security
The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC- doing business as DealerBuilt- over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. … Continue Reading

California Pioneers IoT Security Legislation

Liisa ThomasBy Liisa Thomas on Posted in Consumer Privacy, Data Security, Online Privacy
California’s governor recently signed into law a bill requiring connected device manufacturers to include “reasonable” security features for connected devices sold in California. The law doesn’t go into effect until January 1, 2020, and requires that the devices have security “appropriate to the nature and function of the device” and appropriate to the type of … Continue Reading

Upcoming Canadian Breach Notification Requirements Still in Flux

Kari RollinsBy Kari Rollins on Posted in Breach, Canada, Data Security
Canada’s national breach notification requirements are coming online November 1st, meaning companies experiencing a data breach will soon have new reporting obligations.  These requirements were created in 2015 by the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s main privacy statute.  In April 2018, in preparation for the … Continue Reading

New York Federal Court Dismisses Nationwide Class Action Arising Out of Alleged Spying by E-Commerce Retailers

Kari RollinsDavid PoellBy Kari Rollins and David Poell on Posted in Data Security, Online Privacy
In a victory for online retailers, a New York federal court recently dismissed three putative class action lawsuits brought on behalf of website visitors whose mouse clicks, keystrokes, and electronic communications were tracked by a third-party marketing company. The cases were filed against three e-commerce retailers—Casper (a mattress manufacturer and retailer), Tyrwhitt (a men’s clothing … Continue Reading

Two Cyber Laws Go Into Effect Over US Labor Day Weekend

Liisa ThomasBy Liisa Thomas on Posted in Data Breach, Data Security
On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies … Continue Reading

Unixiz Settles COPPA Allegations with NJ AG

Liisa ThomasBy Liisa Thomas on Posted in Children's Privacy, COPPA, Data Breach, Data Security, Online Privacy
Unixiz, operator of the i-Dressup site, reached an agreement with the New Jersey Attorney General to settle charges that the company had violated the Children’s Online Privacy Protection Act and the New Jersey’s Consumer Fraud Act. The New Jersey AG claimed that Unixiz violated these statutes by collecting information about children without first getting parental … Continue Reading

DOJ Report Suggests Direction For Addressing Cyber Threats

Jonathan E. MeyerBy Jonathan E. Meyer on Posted in Cybersecurity, Data Security, Government Privacy
As many of you have no doubt seen, the Justice Department recently released the report of the Attorney General’s Cyber Digital Task Force, a body the Attorney General had created in February. In the report, the Task Force, chaired by Deputy Attorney General Rod Rosenstein, seeks to answer the question: “How is the Department responding … Continue Reading

Vermont Is First Mover Regulating Data Brokers

Liisa ThomasAlyssa ShauerBy Liisa Thomas and Alyssa Shauer on Posted in Data Protection, Data Security
Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about … Continue Reading

Texas Hospital Order to Pay $4.3M for Failure to Implement its HIPAA Security Policies

Matthew ShatzkesBy Matthew Shatzkes on Posted in Data Breach, Data Security, Healthcare Privacy
A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific … Continue Reading

Colorado Enacts Stringent Data Breach Notification Law

Liisa ThomasBy Liisa Thomas on Posted in Data Breach, Data Security
Colorado’s governor recently signed into law an update to the state’s breach notice law.  As we reported yesterday the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username … Continue Reading

Colorado Joins States in Passing Data Protection Requirements

Liisa ThomasBy Liisa Thomas on Posted in Data Security
Colorado’s recently passed breach notice law, which goes into effect on September 1, includes a data security requirement. This mirrors the change to the Louisiana breach notice law we reported about yesterday. Under the law, companies will need to have “reasonable” security practices and procedures that protect personal information. Personal information is defined as social … Continue Reading

Louisiana Adds Data Security Requirements to Breach Notice Law

Liisa ThomasBy Liisa Thomas on Posted in Data Protection, Data Security
Louisiana’s breach notice law has been amended to require companies to protect personal information. The definition of personal information matches that which -if breached- would give rise to a duty to notify. This includes name combined with social security numbers, drivers’ license (and state ID/passport numbers) or financial account numbers. The law applies to companies … Continue Reading

FTC Outlines Expected Privacy Program Elements in BLU Settlement

Liisa ThomasBy Liisa Thomas on Posted in Consumer Privacy, Data Security, FTC, Mobile Privacy
The FTC recently settled with the mobile phone company BLU Products, Inc., over allegations that the company was letting one of its vendors pull extensive and detailed personal information off of users’ phones. According to the FTC, BLU phones were pre-loaded with firmware updating tools made by ADUPS Technology. ADUPS, through its software, was then … Continue Reading

And Then There Was None: Alabama Becomes 50th State With Breach Notice Law

Liisa ThomasBy Liisa Thomas on Posted in Data Breach, Data Security, Privacy
Alabama is the final US state to enact data breach notification legislation. The new law takes effect on June 1, 2018 and applies to electronic “sensitive” data. This includes full Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and a … Continue Reading
LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree